The Defense Department took a big step forward in implementing zero trust architecture and creating a new level of cybersecurity. The Defense Information Systems Agency (DISA) said the Thunderdome Other Transaction Authority (OTA) agreement met its criteria for success.
“Today, I’m very proud to announce that we have concluded that prototype. And we’ve successfully rolled out this series of technologies to over 1,600 users across three different locations, from the Pacific all the way to here in Washington and the Pentagon and other locations,” said Chris Barnhurst, deputy director of DISA at an FCW/NextGov workshop on Feb. 16.
“I think for me, it’s very exciting that 18-to-20 months after we conceptualized this, we’ve shown that it can work, we’ve shown that it can work on a global scale. And we’re now getting ready to extend that to more and more locations going forward,” Barnhurst said.
Zero trust architecture is a soup to nuts approach to cybersecurity that protects every aspect of internet use, including users, devices, network and applications.
“We went through an operational assessment and testing phase, as well as red teaming. And the results of all those activities and interactions was an acknowledgment that, yes, the prototype had met the criteria that the government laid out for success,” said Barnhurst in an interview with Federal News Network.
Thunderdome represents a collection of technologies that are integrated into the zero trust ecosystem or architecture. DISA planned it as the replacement for the Joint Regional Security Stacks (JRSS). DoD started using JRSS in 2013, as a way to reduce the number of internet entry points that could be vulnerable to hackers. The system had weaknesses, and a 2019 DoD Inspector General’s report singled it out for failing to meet many of its cybersecurity goals.
DISA plans to gradually reduce the use of JRSS, between now and 2027, the target date for implementing zero trust.
As part of Thunderdome, DISA used two main commercial applications — software-defined networking (SD-WAN) and Secure Access Service Edge (SASE). SASE delivers wide-area networking with cybersecurity both on-site and in the cloud as DoD expands its reliance on cloud data storage.
“We brought these technologies together in an integrated way. And over the last nine months or so, we’ve been basically building a prototype that brings these things together to demonstrate that, yes, they will work to deliver all of the tenants of zero trust that we would expect as a department,” Barnhurst said.
One of the key tenants of zero trust involves identity. Thunderdome will use identity verification, including public key infrastructure (PKI), which uses a certificate to validate data being sent from one point to another, and identity credentialing and access management (ICAM). ICAM verifies a person’s identity and links them to their allowed access privileges.
“When we talk about zero trust, what we’re really talking about is role-based access. Does the user have the right credentials, and the right roles assigned to access data? We’re moving from this defense in depth mindset, to one where we want to protect data. We want to make sure that the right people, on the right trusted device with the right access, are the ones who get access to various datasets,” Barnhurst said.
At the end of the day, all the different applications within the zero trust architecture may be working, but individuals and their agencies still need to sign on. Barnhurst said it will require many DoD employees to change their mindset.
“We can provide the means to achieve zero trust. But if we don’t change the department’s mindset, how we tag data and these other kind of critical things, we won’t fully get there.”